More than two million Android users have downloaded malicious apps that bypass security protections to get into Google Play, researchers warn.
Once installed, the apps use sneaky techniques to hide from the user to prevent them from being removed, while displaying malicious ads that can be linked directly to malware.
A total of 35 "clearly malicious" apps in the Google Play store were discovered and analyzed in detail by Bitdefender researchers.
If you have downloaded any of these apps, you should delete them immediately.
According to Bitdefender, many of the apps are still available for download.
One of the apps the researchers discovered is called GPS Location Maps and has been downloaded by 100.000+ users. According to the researchers, after downloading, the app changes its label from “GPS Location Maps” to “Settings” to make it difficult to find and remove, and constantly displays pop-up ads linked to malicious websites.
This, and many other dangerous apps identified by Bitdefender, simulate user clicks to click on ads, helping fraudsters make extra money from forced visits.
The hackers behind the GPS Location Maps application have gone to great lengths to ensure that the malicious application is difficult to reverse engineer and control, since the malicious Java file is encrypted. Even when the files are decrypted, the code cannot be read.
The malicious app still uses a technique to stay hidden – it doesn't appear in the list of most recently used apps on Android devices.
Each of the malicious apps uses similar post-download behaviors, serving ads while disguising the icon as something else to hide it. Some of the malicious apps that have been downloaded over 100.000 times are Personality Charging Show, Image Warp Camera and Animated Sticker Finder.
Each of the malicious apps is listed as the only app published by a single developer, but their email addresses and websites are all very similar, leading Bitdefender to believe that all of the apps could be the work of a single team or person. Other apps that have been downloaded more than 100.000 times include Personality Charging Show, Image Warp Camera and Animated Sticker Finder.
APK hashes
| Package name | Hash | Downloads |
| gb.packlivewalls.fournatewren | 83fc9c22697d23126105bef2ac956c83a9b5cc700a3635ba93ccf999d15be5cc | 100K + |
| gb.blindthirty.funkeyfour | 5df41117cfb8fdf4549c0cad570c30411770857783b40d7a0eb5cee5c9a01623 | 100K + |
| gb.convenientsoftfiftyreal.threeborder | 1dc46e16a7e477b9cd04a9a29c881254512d0ad5e89be6b120f30b06d4f5991b | 100K + |
| gb.helectronsoftforty.comlivefour | 92dcedc7054adde430407f430ee444ba6c0d70d5787eb92295360fc015b1f029 | 100K + |
| gb.fiftysubstantiated.wallsfour | beb0e689572650355ad39165cfee0f3695507a39213913a54718631cb5d17b6b | 100K + |
| gb.actualfifty.sevenelegantvideo | 1ccd7ac60d2caa3ffb56648ba5dfbd942f9ad0416de0c215f3d11457a5a36d55 | 100K + |
| gb.crediblefifty.editconvincingeight | 123a589ee242ee8ab1b072cbed287b4a20793e02f81a0cbe866ed346d68e0cb4 | 100K + |
| de.eightylamochenko.editioneight | 46141428f4c5d878b2644aa76cf96ad277e5038443698e4232fd3d9c0eb2ed1c | 100K + |
| gb.convincingmomentumeightyverified.realgamequicksix | 731a6d533edbedf5944f6d3660c3984ff41950d4b748e1e1c41b8457ccef0a4a | 100K + |
| gb.labcamerathirty.mathcamera | 9453085d60429987598c44c81693d733c38468bc233feefef46f84769c24fd15 | 100K + |
| gb.mega.sixtyeffectcameravideo | b40cca66d13d28745098fce90ac71d451ce28853ed81a7ff9f8bd908d91512db | 100K + |
| gb.theme.twentythreetheme | 0a366901588120665560c1e5dd0f7394ab6fedd4563c4c2951822b4194a8a42b | 100k + |
| gb.tolltwentytwo.ikey | d9bb7bf435c9af3e736bcc16626cf33e3b6e675a5f0a8fd1acd7e8c48e1bcd51 | 50K + |
| com.smart.tools.wifi | 0e4f1b1a22b059b95a828215739298335b1fff7f54cf85c1c75fc30ca5ca6cd6 | 10K + |
| jkdf.gds.gds.g | 4e5ea73770c5bee7fb8cbaeb188d2d7258ba8879cfdb4d459dfbdd7dd9a3e650 | 10K + |
| com.newsoft.camera | 9102fd2b2a6c38a36e344db0c836c05172aff9169ff4389195ade3cc47cd086b | 100K + |
| com.xmas.artgirlswallpaperhd | 985600862b5fc4de0ec62322bf9eee4b6c0cc3fc5db6f23cb65cbe81088a3c8d | 100k + |
| hj.jk.jikj.jkj | 0cf16f21330acfb9006e8fa1d67d5f6d48e0623390482ce4835d1064e38c58d6 | 50K + |
| com.creator.smartqrcreator | 4cd13ce239f6567744a2b4e9819cb420c3e311e05c1afab9d784eb344c8d4868 | 10K + |
| finze.lockgti.dae.cag | 1b1d7e825c2299a17309074a2d411ee3480501e417482331f020d93a21c08e95 | 500+ |
| kk.f.ea.tew.t | 45cc6ac4b52492291bc572fa253dcc8db53b167080dd08490d16f8218b8ebfc3 | 100K + |
| com.xmas.girlsartwallpaper | 3b6639df04f9745ff74d9fe58dcd529d58208248358291d06e65e04aa2481d97 | 10K + |
| sc.qs.vak | e51585871b56d9c7707f8b41ab045dc26e11f976b519cc8e2fdc7a8cf79875e0 | 50K + |
| zzhse.ge.ge.ge.e | 16d5fd1ab5cb0bea28dfb7333b7b419b5de00024d391a3cd8dce9a0823e09cfc | 100K + |
| ice.ccylice.volume | cb9fc87ff97e398a4375062d5d5ab8d29706d830cd2ef6fcde5aea30f6f4a45d | 50K + |
| ck.lad.secret | 4240ca3ea6eba010ee3b169cda066d8beeb7b8bf7a065abfeac9b75a301a1706 | 10K + |
| smart.ggps.lockact | b720175c57ed84fe7fec73554dcf12e71c33e6a322a23b0663dc132edc7203ee | 10K + |
| am.asm.master | a00e1b5ca10efdf11fbd3c45349c4e3994134e3100a23f50df62a9398529b176 | 100K + |
| com.charging.show | c519c9b63ce046c737fe9c222436f4138acfe9de277cc4da6019b8c3533e9aa9 | 100K + |
| com.voice.sleep.sounds | 9885ef4f3dfff7962c8f2e319957d07755c192e68978962962492e60c73ac222 | 100K + |
| joao.de.def.e.aew | 0ecaee04b59c137760b7aafa46772a3be7e3581b36d79b5c61ea713ccfe5a386 | 10K + |
| ifa.nod.vys | 69f94ac8d1ce85d0904a3cafb7828b84e18ecd858a2d56aa4c2fdd1fd7afc02e | 10K + |
| qu.motor.astrology | 134aeabf2c66be6af458d5d51c22d237c1f260f1ab10dcb99b714eba5d8bff73 | 10K + |
| ice.ccylice.colorize | 449328469b38378ca1214c421305d0706dca6cc79a68ea2e5e2904a519968c03 | 10K + |
| gb.sixtycreativecyber.magiceleganttwo | 054f8bfa280654b0a5cc9b3a8652e438fb77dc63d66ffb10c06743ccf290342b | 50K + |
